On January 14, the French data protection authority (the "CNIL") released a proposal for a set of practical requirements for placing cookies in web-based and mobile application environments (the "Recommendations").
The Recommendations1 follow the CNIL’s publication in July 2019 of guidelines summarizing the applicable cookies framework and its later consultation with stakeholders in the fall. The Recommendations are open to public consultation until February 25, 2020. Interested parties can vote on or contribute feedback on the Recommendations on the CNIL website.
Here is a summary of the ingredients in the Recommendations’ "recipe" for compliance:
- To start with, use good flour, i.e., a cookies management tool. The tool should be deployed on websites and mobile applications in a manner that will collect a valid consent. This is stating the obvious. However, getting the main ingredient right is not always that easy, especially for the privacy aspects of cookies.2
- Chocolate chip cookies and snickerdoodles are not the same. Provide a clear, concise description of the cookies’ purposes. The Recommendations suggest a granular categorization of cookies (e.g., differentiating between personalized and geo-located advertising and specifically indicating if cookies are used for social media sharing). They also provide examples of acceptable design for a layered approach. As a best practice (and to please the gourmets asking for all of the details of your recipe), the Recommendations encourage providing details on the nature of the personal data collected for each purpose.
- Homemade or store-bought? Who baked them? Provide an exhaustive list of controllers and scope of consent. The Recommendations advocate for having information on all relevant controllers available to users both at the level of the cookies management tool and as a separate section on the website/mobile application. This information should be updated periodically and accurate. Re-consent of users should be obtained whenever substantial changes are made to the list (though the Recommendations are not specifying what would be considered substantial changes).
- Not everyone will eat your cookies. Record user preferences, including refusal to consent. The Recommendations give similar temporal consideration to consent and refusal to consent. In other words, once a user refuses to consent to some or all cookies, his or her choice must be respected for the same period as that for those users who consented to the placing of cookies. This should prevent repeated attempts to obtain user consent following a refusal.
- What will you be eating next? Recognize that browser settings in the future may likely allow compliance with the EU framework. Recognizing that most browsers are not yet ready to deploy a cookies management settings system in line with the EU framework, the Recommendations nevertheless are calling for development in this area and providing some best practices for it.
The Recommendations are the latest recipe in the cookbook that organizations can reference to better understand what needs to be done to prepare their cookies' practices to conform with the existing ePrivacy directive and the EU General Data Protection Regulation. With many different recipes out there (such as those of the UK data ICO3, the Dutch APG,4 the Spanish AEPD,5 and the German Association for Data Protection and Data Security6) and enforcement actions starting (e.g., the recent case where the Belgian DPA7 issued a fine amounting to 1% of the organization’s annual turnover), preventing indigestion will require some consideration of the best recipe for the organization and then carefully following it.
2 For some examples of challenges ahead of consent management platforms, see, "Dark Patterns after the GDPR: Scrapping Consent Pop-ups and Demonstrating Their Influence" (M. Nouwens, I. Liccardi, M. Veale, D. Karger and L. Kagal), 2020.